Debian-10-minimal Configuration

Interesting. I was led to believe that Debian often had newer versions of packages than Fedora, but after checking a few common programs, it appears that is not really the case.

Ah, I was using a site that compares package versions across distros, but it does not include the Debian security updates repo, which has some newer packages, so it is not quite as bad as I thought. However, even taking this into account, Fedora stable does still appear to have newer versions than Debian stable for some popular packages.

I’d have some question about your awesome description:

I like XTerm, so I am setting it as default template and shutdown the template:

Isn’t XTerm the default terminal emulator? I think you wanted to write default terminal emulator instead of default template. Or not?

“DEBIAN_FRONTEND=‘noninteractive’ apt-get -y -o Dpkg::Options::=’–force-confdef’ -o Dpkg::Options::=’–force-confold’ install

When creating sys-firewall’s template the part of the installation command linked above: does it apply to the apt-cacher-ng installation, so you basically not allow the http tunnel?

If i’m not using the apt-cacher-ng right now, but i’d like to use it and installing it to the sys-firewall template: when do i need to apply these commands:

If you are using apt-cacher-ng already, you will need these lines (if you don’t know what that is, skip it)

qvm-run --pass-io -u root tpl-deb-10-min “sed -i – ‘s/https:///http://HTTPS////g’ /etc/apt/sources.list”
qvm-run --pass-io -u root tpl-deb-10-min “sed -i – ‘s/https:///http://HTTPS////g’ /etc/apt/sources.list.d/*.list”

When i cloned the debian-10-minimal template to tpl-deb-10-min, or after i’ve created the sys-firewall template and installed apt-cacher-ng package?

Unfortunately i get an error when trying to run sys-firewall’s installing command:

qvm-run --pass-io -u root tpl-deb-10-sys-firewall “DEBIAN_FRONTEND=‘noninteractive’ apt-get -y -o Dpkg::Options::=’-force-confdef’ -o Dpkg::Options::=’-force-confold’ install --no-install-recommends qubes-core-agent-networking qubes-core-agent-dom0-updates apt-cacher-ng”

The above command was copied from my dom0 terminal after i typed and executed it, and this was the output:

Fetched 19.2 MB in 7s (2,744 kB/s)
dpkg: error: unknown option -o

Type dpkg --help for help about installing and deinstalling packages [*];
Use 'apt' or 'aptitude' for user-friendly package management;
Type dpkg -Dhelp for a list of dpkg debug flag values;
Type dpkg --force-help for a list of forcing options;
Type dpkg-deb --help for help about manipulating *.deb files;

Options marked [*] produce a lot of output - pipe it through 'less' or 'more' !
E: Sub-process /usr/bin/dpkg returned an error code (2)

Is there any way i could copy and paste commands to dom0 just to be sure i don’t mistype anything? Or is there maybe any problem with the command itself?

Thanks any help!

I like XTerm, so I am setting it as default template and shutdown
the template:

Isn’t XTerm the default terminal emulator? I think you wanted to
write default terminal emulator instead of default template. Or not?

You are right, this should have been “setting it as default terminal
emulator”. I can’t edit the original post anymore, but I think in
context it is still understandable what I meant. Thank you for pointing
it out!

“DEBIAN_FRONTEND=‘noninteractive’ apt-get -y
-o

Dpkg::Options::=’–force-confdef’ -o
Dpkg::Options::=’–force-confold’ install

When creating sys-firewall’s template the part of the installation
command linked above: does it apply to the apt-cacher-ng
installation, so you basically not allow the http tunnel?

In this specific case that is the effect. What the command does is to
install whatever follows with it’s defaults but it won’t overwrite
already existing configurations. This way you won’t have to interact.

If i’m not using the apt-cacher-ng right now, but i’d like to use it
and installing it to the sys-firewall template: when do i need to
apply these commands:

If you are using apt-cacher-ng already, you will need these lines
(if you don’t know what that is, skip it)

qvm-run --pass-io -u root tpl-deb-10-min “sed -i –
‘s/https:///http://HTTPS////g’ /etc/apt/sources.list”
qvm-run --pass-io -u root tpl-deb-10-min “sed -i –
‘s/https:///http://HTTPS////g’ /etc/apt/sources.list.d/*.list”

When i cloned the debian-10-minimal template to tpl-deb-10-min, or
after i’ve created the sys-firewall template and installed
apt-cacher-ng package?

It will be rather obvious when you need them. After you installed
apt-cacher-ng correctly and it has taken over the role of tinyproxy you
will see error messages when calling ‘apt’ because it no longer gets a
connection to https repositories.

That’s when you need to change all the URLs from https:// to
http://HTTPS/// which the above commands accomplish.

Thanks any help!

You are very welcome. @unman is the one maintaining these templates, he
wrote the notes most of this is based on and has answered patiently all
my questions. All credit goes to him, all mistakes are mine.

1 Like

Thanks for clarifying my questions for me!

Could you maybe address my last question about the sys-firewall’s installation command? I’m not sure if i mistyped something or there is something else. Or is it a command coming from @unman and i should ask himself?

Could you maybe address my last question about the sys-firewall’s
installation command?
You need to change the URLs in …

  • /etc/apt/sources.list
  • all *.list files in the /etc/apt/sources.list.d directory
  • of all templates

after you installed apt-cacher-ng in sys-firewall according to
unman’s notes.

Be warned: if you do so your Fedora qubes won’t update anymore without
additional work with apt-cacher-ng configuration. It’s not an issue for
me as I don’t use Fedora qubes, but if you do there is more work ahead
of you.

So if you go ahead you need to apply the commands not only to
tpl-deb-10-min but to all of your debian based templates.

Sorry, i think i wasn’t too specific with my latest post. I’m stuck at the installation stage. In dom0 if i type the command after cloning the tpl-deb-10-min to tpl-deb-10-sys-firewall:

qvm-run --pass-io -u root tpl-deb-10-sys-firewall “DEBIAN_FRONTEND=‘noninteractive’ apt-get -y -o Dpkg::Options::=’-force-confdef’ -o Dpkg::Options::=’-force-confold’ install --no-install-recommends qubes-core-agent-networking qubes-core-agent-dom0-updates apt-cacher-ng”`

I got this error:

Fetched 19.2 MB in 7s (2,744 kB/s)
dpkg: error: unknown option -o

Type dpkg --help for help about installing and deinstalling packages [*];
Use 'apt' or 'aptitude' for user-friendly package management;
Type dpkg -Dhelp for a list of dpkg debug flag values;
Type dpkg --force-help for a list of forcing options;
Type dpkg-deb --help for help about manipulating *.deb files;

Options marked [*] produce a lot of output - pipe it through 'less' or 'more' !
E: Sub-process /usr/bin/dpkg returned an error code (2)

And i’m not able to pass through the error. That’s why i thought maybe i mistyped the command, or there is something else.

Hi @onequbesuser from your other posting I conclude you have meanwhile figured it out and successfully installed everything. But for the sake of other readers let me answer here: The only thing weird with your command are the actual quote signs and that might be introduced by the forum. Also there was one additional single quote at the end that didn’t belong there but that too might be an artifact of trying to format things as ‘preformated text’ here.

Here is how is should look:

qvm-run --pass-io -u root tpl-deb-10-sys-firewall "DEBIAN_FRONTEND='noninteractive' apt-get -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' install --no-install-recommends qubes-core-agent-networking qubes-core-agent-dom0-updates apt-cacher-ng"

1 Like

Thanks! While i really almost installed everything i wanted with the minimal debian, the sys-* VMs are waited for this. I will try the command tomorrow and will report back!

Thanks for putting the instructions together!

1 Like

I’m not sure what was the problem witht the first command at the beginning of the thread, but with this one it’s worked fine. Thanks!

1 Like

Hello sven, is there any reason why you cloning many vm? Instead of using template based?

I think that Sven clones many templates from a minimal template, (and
possibly also clones many VMs.)
I do the same.

I do this to minimise the attack surface in each TemplateBasedVM, by
only having the applications and libraries that are relevant to that
qube or qube type.
Using a caching proxy minimises the pain of having multiple templates.

4 Likes

Indeed, I clone from the minimal template and then install a specific feature or app.

Advantages as @unman already pointed out:

  • reduced attack surface
  • reduced memory requirements
  • allows for much more fine grained compartmentalization (e.g my “work” domain consists of a mail qube, several specialized web qubes, several project qubes with dev tools, a teams qube and a windows qube).

Totally just borrowed your reply to add that to the docs. Hope you don’t mind.

1 Like

3 posts were split to a new topic: What Threats do Minimal Templates Protect Against?

Just out of curiosity @Sven do you find any situations where the full Debian templates are preferable to the minimal templates?

They are preferable at least when the user does not want to deal with configuration at all and just wants to use the system :slight_smile: (and the threat model is less strict of course)

I have come to appreciate Debian over Fedora in general for:

  • longer release cycles / less upgrades
  • more stability

That is true for all Debian templates. If one doesn’t have the need or inclination to configure many minimal-based templates, Debian full is certainly a good choice.

2 Likes

Hello @Sven . Thanks for your posts here, I was now able to change most of the templates to debian-10-minimal and that is just great.

Did you create a template with all programs as “Disposable VM Template”? Or how do you solve it if you receive for example a PDF, a Libreoffice document, a link via email and want to open it in a disposable vm?

@user45507 asked:

Did you create a template with all programs as “Disposable VM Template”? Or how do you solve it if you receive for example a PDF, a Libreoffice document, a link via email and want to open it in a disposable vm?

online-dvm based on deb-10-web template (firefox only)
offline-dvm based on deb-10-office template (libreoffice, evince, vlc)

offline-dvm is the default disposable tempalte.
deb-10-office is only used for offline-dvm.

qubes.OpenURL policy is set to always ask, so that’s when I select ‘Disposable (online-dvm)’

Works great!

2 Likes